Defending Against a Dangerous New World

Transcription

1 Defending Against a Dangerous New World Jeff Scheidel Security Architect 1 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

2 Reference Architecture 2 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

3 Subscription-based Content Services Citizen Services Online Healthcare Business Transformation Social Retail Manufacturing Services MOST SIGNIFICANT Mobile Banking Cloud Services Social CRM Mobile Workforce IN 3 Copyright 2013, 2012, Oracle and/or its affiliates. All rights reserved.

4 Trend Mobile Device Use Identity-driven control Unified management Cross Channel Marketing 4 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

5 Trend Cloud Lifecycle Management Authentication as a service Cloud-based access portals Cloud identity store for SaaS apps User self-service Full reporting and audit 5 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

6 Trend Social Identity Leverage social and other IdPs OAuth and OpenID Simplified registration and interactions Secure experience Social trust 6 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

7 2013 : A Good Year For Hackers New Methods, Same Intentions 7 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

8 Malware 8 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

9 Denial of Service 9 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

10 Phishing 10 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

11 Phishing examples April - journalist phished, hacked AP's twitter acct phony tweet about WH explosion market plunged; $136.5B drop in the S&P 100-plus US companies phished mfg processes biz plans communications data RSA!!! Phishing scams disguised as warnings about phishing Phishing scams aimed at oil execs, military contractors, and lawyers 11 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

12 Vulnerabilities 12 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

13 Bad code OS command injection cross-site scripting unrestricted file uploads URL redirects buffer overflow parameter tampering no integrity checks XML poisoning SQL injection 13 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

14 2013 Hacking Highlights Eastern Europe: bank attacks, retail, extortion Asia: infrastructure, industrial espionage 14 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

15 2013 Hacking Highlights Facebook s and phone nbrs for 6M users exposed for UP TO A YEAR Similar flaw found after 24 hours Drive-by attack on employees Drupal open source content management Exposed names, s, other info Flaw in 3rd party software LivingSocial - ecommerce 50 million sets of usernames, pwds, s, DOB Upside? separate network with cc info, for PCI compliance 15 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

16 2013 Hacking Highlights Zendesk - customer support portal thousands of addresses and support messages users from Pinterest, Twitter, Tumblr like Zappos - oh gee, it's just addresses, right? CorporateCarOnline - limo reservation package leaked info for 850K clients Credit cards - celebs with no credit limit Notes about behaviors and routines Adobe ColdFusion vulnerability Third party hosting the data 16 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

17 2013 Hacking Highlights Evernote - mobile data storage Detected breach, reset pwds for 50M users Response? two-factor auth strong pwds, protected with hashing and salting MongoHQ - database as a platform Thousands of cloud users: s, pwds, acct info Attackers could access Amazon web svc storage accts (client db s!!!!!) Via compromised personal acct Misconfigured security appliances 17 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

18 2013 Hacking Highlights Target New York Times Govt-sponsored espionage Targeted two reporters working on a report critical of a foreign govt 18 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

19 The BIG news? Stolen creds Social engineering Funky location 19 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

20 Advanced Persistent Threat Smart people Dedicated people People with a purpose 20 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

21 Iterative attacks Monster.COM stolen ids lead to phishing ESTsoft faked creds, uploaded malware, stolen info Nortel TJX / Heartland 21 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

22 Do you appreciate the threat? Some people get it Some people don t You can t protect against it if you don t know what it is Have a risk assessment plan Pick your targets 22 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

23 How does compliance factor in? Is compliance the same as security? What s the perfect model? Where do they intersect? LEAST PRIVILEGE & VALIDATION 23 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

24 67 % Records breached from servers 76 % Breached using weak or stolen credentials Over 1.1B Served 69 % Discovered by an external party 97 % Preventable with basic controls 24

25 So what to do? Common sense policies Account sharing Configurations Least privilege Awareness Third party security Data on devices Patches / updates Common sense defenses Risk assessment Database Privileged users Apps and web services Strong authentication Intelligent authorization 25

26 Reference Architecture 26

27 Defense in Depth Database Security Protect against bad SQL Encryption and Masking Privileged User Controls Multi-Factor Authorization Activity Monitoring and Audit Secure Backup & Configuration Information Identity and Access Infrastructure Databases Applications Content User Provisioning Roles and SoD Entitlements Management Risk-Based Access Control Directory Firewalling Web Service Security Mobile and Social 27 27

28 Multi-dimensional value proposition Security as defense Security as protection of IP Security as compliance Security as a vehicle for packaging and presenting new products and services 28

29 Why are Databases so Vulnerable? 80% of IT Security Programs Don t Address Database Security Forrester Research Network Security Enterprises are taking on risks that they may not even be aware Authentication & User Security SIEM of. Especially as more and more attacks against databases exploit legitimate access. Security Database Security Endpoint Security Web Application Firewall 30

30 Database Security Approaches Defense-in-Depth for Maximum Security PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 31

31 Database Security Approaches Defense-in-Depth for Maximum Security PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 32

32 Encryption is the Foundation Preventive Control for Oracle Databases Protect data from file system intrusions Transparent data encryption Prevents access to data at rest Requires no application changes Built-in two-tier key management Near Zero overhead with hardware Integrations with Oracle technologies e.g. Exadata, Advanced Compression, ASM, Golden Gate, DataPump, etc. Applications Disk Backups Exports Off-Site Facilities 33

33 Redaction of Sensitive Data Displayed Least privilege at a field level Customer service and other need to know Real-time sensitive data redaction based on database session context Library of redaction policies and pointand-click policy definition Consistent enforcement, policies applied to data Transparent to applications, users, and operational activities Credit Card Numbers Redaction Policy xxxx-xxxx-xxxx Call Center Application Billing Department 34

34 Masking Data for Non-Production Use Preventive Control for Oracle Databases Data Masking Replace sensitive application data Referential integrity detected/preserved Extensible template library and formats Application templates available For PCI, masking or compensating control LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 Production Test Dev Non-Production LAST_NAME SSN SALARY ANSKEKSL ,000 BKJHHEIEDK ,000 Production 35

35 Privileged User Controls Preventive Control for Oracle Databases Segregation of Duties for DBMS Limit DBA access to application data Multi-factor SQL command rules Realms create protective zones Enforce enterprise data governance, least privilege, segregation of duties Out of the box application policies Applications Procurement HR Finance Security DBA select * from finance.customers Application DBA DBA 36

36 Privileged User Management / Enablement Databases, operating systems, critical apps Centrally managed passwords Check-in, check-out Automatic password change / expiration 37

37 Database Security Approaches Defense-in-Depth for Maximum Security PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 38

38 Stopping the ultimate attacks on the DB SQL Injection Protection with Positive Security Model SELECT * from stock where catalog-no='phe8131' White List Allow Applications SELECT * from stock where catalog-no= ' union select cardno,0,0 from Orders -- Block Databases Allowed behavior can be defined for any user or application Automated white list generation for any application Out-of-policy database transaction detected and blocked/alerted 39

39 Stopping the ultimate attacks on the DB Enforcing Database Activity with Negative Security Model SELECT * FROM v$session Black List DBA activity from Application? DBA activity from Approved Workstation SELECT * FROM v$session Block Allow + Log Stop specific unwanted SQL interactions, user or schema access Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name etc Provide flexibility to authorized users while still monitoring activity 40

40 Oracle Audit Vault and Database Firewall Solution for Oracle and Non-Oracle Databases Users Applications Database Firewall Allow Log Alert Substitute Block Firewall Events SOC Alerts! Auditor Built-in Reports Audit Data Security Analyst Custom Reports Policies Audit Vault OS, Directory, File System & Custom Audit Logs 41

41 Oracle Database Security Solutions Defense-in-Depth for Maximum Security PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 42

42 Identify the bodies, give them rights, then keep checking Identity Governance Access Management Lifecycle Management & 360 visibility Regular & Privileged identities Complete access control & SSO Fraud Detection Converged Policy Administration & Control Directory Services LDAP, Virtualization Fraud & Meta-directory Detection Unified Administration & Management 43

43 Identity, Access, Source Integration, openness Governance Access Directory Password Management Request & Approval Roles based User Provisioning Analytics, Policy Monitoring Risk-based Certification Single Sign-On & Federation Web Services Security Authentication & Fraud Prevention Authorization & Entitlements LDAP Storage Virtualized Identity Access LDAP Synchronization Platform Identity Services for Developers 44

44 Enable, Disable, Change Mgmt Identity Management Assign Cell Phone Subscribers Self Registration Approval Manual Task Provisioned User Identity Store Role Access Policy & Compliance Checks Automated Workflow Connector New/Updated Subscriber New/Updated Staff Subscriber System HR Reconciliation Engine In case of Updates { Revoked unnecessary User Access 45

45 Keep everybody in the box Closed-Loop Functional Architecture Data Cleanup & Controls Reconcile Identity Administration Continuous Compliance & Certification Provisioning Policy Administration Provisioning Orchestration 46

46 Oracle Directory Services Plus Virtual Directory Internet Directory Directory Server Enterprise Edition Unified Directory Aggregate without synchronization Re-use existing native identity stores LDAP standards compliant Enterprise grade directory services Directory sync & consolidation AuthN Service for Operating Systems Centralized Auth & Password Policy for all Unix OS flavors (Add-on to OID) Central, High Scalable Directory Store LDAP Authentication for disparate environment Seamless, non intrusive synchronization (of users, passwords, groups) with AD LDAP Authentication for disparate environment Directory Virtualization Capability Highly Extendible Highest Performance for up to few millions entries 47 (*) OpenDS inheritance

47 Risk-Aware Security & Access Control Secure Login Adaptive, Continuous Risk Calc Model Risk Events Detect Anomalies Challenge or Block Analysis and Forensics User Profile Device Fingerprint IP area / Geo-location Pattern / anomaly detection Auto-learning OTP Challenge questions Block Alert Forensics 48

48 Entitlements Vision Security within Applications Authentication IDM Admin U.I. OTP (SMS, IM, ) SMS/ IM/ / Server Authorizations Risk Manager Federation Web Application Other Web App etc Entitlements Federation IdP / SdP Directory Services Full Access Services Framework Extendible to Entitlements within Java /.NET Applications 49

49 Security for REST and Mobile Devices Mobile Browser Clients OIC Client Mobile Web Service Clients HTTP / REST / SOAP / OAUTH Access Manager Mobile & Social Identity Manager Adaptive Access Mgr OWSM OWSM Service Bus OWSM Web Services Corporate DMZ Uniform & consistent security across clients Mobile Single Sign-On & Multifactor Authn User & Device Registration, Password Management Authorization and routing Data Redaction & Enrichment Corporate Network Threat detection SSL and Certificate based authentication Rate limiting (Throttling) and Metering Protocol transformation ID Context Propagation Legacy Services 50

50 Mobile Device Security Securing containerized apps / Corporate DMZ Corporate Network Containerized Apps Webgate / OHS OAM Protected Resources Oracle Access Manager With Mobile & Social Oracle Adaptive Access AppTunnel Active Directory OUD Oracle Mobile Access Server Oracle Mobile Security Admin Console SOAP/REST and Legacy Web Services 51

51 Numbers to remember Oracle s security practice $1 Billion 600 team members 34 countries 30,000 customers 52

52 53 Copyright 2013, Oracle and/or its affiliates. All rights reserved.